All individuals who've used services from the Alaska DHHS are being notified that their data was possibly stolen during a cyberattack four months ago. Officials have been transparent about the ongoing criminal investigation and network outages, but the incident spotlights continued challenges faced by government and health departments.

This week’s health care data breach roundup is led by a systems hack and data exfiltration incident at USV Optical. Other incidents include several email hacks, ransomware, and further data theft.

The FTC Health Breach Notification Rule was enacted 10 years ago to protect the privacy and security of consumer health data not covered by HIPAA, but it was never enforced. A policy decision enacted on Sept. 15 will change that.

Millions of school children have their personal data exposed in hackers' leak sites, with a tally from Emsisoft ransomware analyst Brett Callow showing that data from over 1,200 K-12 schools across the U.S. have been published by ransomware groups so far this year, reports NBC News.

X-Force researchers also found cryptominers and ransomware account for more than 50% of detected system compromises.

LifeLong Medical is just now notifying 115,448 patients that their data was compromised during a ransomware attack against one of its vendors, Netgain. However, the initial breach reports were first released more than six months ago, putting the notice far outside the 60-day HIPAA requirement.

Patients impacted by data breaches at Sturdy Memorial Hospital and Dupage Medical filed separate lawsuits alleging claims that center around inadequate security measures. With the Supreme Court defining actual harm in a June decision, it’s unclear how the cases will proceed.

The Jenkins project reported Friday that one of its servers was successfully attacked by hackers using a recently warned about Confluence vulnerability to install a cryptocurrency miner.

Representatives from critical infrastructure hammered at two key differences between the House and Senate versions of the bill: the amount of time that entities would have to report a cyber incident, and the level of certainly that would need to be present before doing so.